{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-11T19:05:43.814","vulnerabilities":[{"cve":{"id":"CVE-2026-31801","sourceIdentifier":"security-advisories@github.com","published":"2026-03-10T21:16:49.850","lastModified":"2026-03-18T19:30:20.843","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference} as create by default, and only switches to update when the tag already exists and reference != \"latest\". As a result, when latest already exists, a user who is allowed to create (but not allowed to update) can still pass the authorization check for an overwrite attempt of latest. This vulnerability is fixed in 2.1.15."},{"lang":"es","value":"zot es un registro de imágenes/artefactos de contenedores basado en la Especificación de Distribución de Open Container Initiative. Desde la versión 1.3.0 hasta la 2.1.14, el middleware de autorización dist-spec de zot infiere la acción requerida para PUT /v2/{name}/manifests/{reference} como 'crear' por defecto, y solo cambia a 'actualizar' cuando la etiqueta ya existe y reference != 'latest'. Como resultado, cuando 'latest' ya existe, un usuario al que se le permite crear (pero no se le permite actualizar) aún puede pasar la verificación de autorización para un intento de sobrescritura de 'latest'. Esta vulnerabilidad se corrige en la versión 2.1.15."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":4.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:zotregistry:zot:*:*:*:*:*:*:*:*","versionStartIncluding":"1.3.0","versionEndExcluding":"2.1.15","matchCriteriaId":"221F7F0D-2FD7-45AB-9A1A-5F1AFA35153F"}]}]}],"references":[{"url":"https://github.com/project-zot/zot/security/advisories/GHSA-85jx-fm8m-x8c6","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}